Evil Corp – or at least a hacking group associated with it – is messing things up.
Client reported(Opens in a new window) that a threat actor it tracked as UNC2165 appears to be related to the cybercrime group that was sanctioned(Opens in a new window) by the US Treasury Department in 2019 for using “the Dridex malware to infect computers and collect credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.”
These sanctions prevent companies from paying a ransom to restore access to their systems. Financially motivated threat actors like Evil Corp don’t target organizations for fun or try to advance a nation-state’s agenda, so they need to maximize their chances of getting paid. That means they need to make it harder for their victims to identify them.
Because of this, Mandiant says hacker groups linked to Evil Corp have used a variety of ransomware strains over the past two years. The groups initially used WastedLocker(Opens in a new window)but after this ransomware’s connection to Evil Corp was revealed, they switched to a ransomware family called Hades(Opens in a new window). Now they have started using a ransomware-as-a-service (RaaS) called Lockbit.
Mandiant says leveraging a RaaS offering for groups affiliated with Evil Corp. are connected, it makes sense:
Recommended by our editors
Both the notoriety of LOCKBIT over the past few years and its successful use by several different threat clusters likely made the ransomware an attractive choice. Using this RaaS would allow UNC2165 to mingle with other affiliates, which requires insight into earlier stages of the attack lifecycle to properly attribute the activity, compared to previous operations that may have resulted from the use of an exclusive ransomware. Additionally, HADES’ frequent code updates and rebranding required development resources, and it is plausible that UNC2165 saw the use of LOCKBIT as a cheaper choice.
The company expects similar groups to “take steps like this to disguise their identities to ensure that this is not a limiting factor in receiving payments from victims.” Sanctions probably won’t stop ransomware gangs from pursuing more organizations, but at least they make it harder for these cybercriminals.
More information on how Mandiant connected the dots between UNC2165 and Evil Corp, as well as details on the hacking group’s activities, are available in the company’s report.
Do you like what you read?
Sign up for security guard Newsletters for our top privacy and security stories, delivered straight to your inbox.